The main benefit of a chroot jail is that the jail will limit the portion of the file system the DNS daemon program can see to the root directory of the jail. Additionally, since the jail only needs to support DNS, the programs related to ISCBIND/DNS available in the jail can be extremely limited. Most importantly, there is no need for setuid-root programs, which can be used to gain root access and break out of the jail.

Securing ISCBIND/DNS

This part focuses on preventing ISCBIND/DNS from being used as a point of break-in to the system hosting it. Since ISCBIND/DNS performs a relatively large and complex function, the potential for bugs that affect security is rather high with this software. In fact, there have been exploitable bugs in the past that allowed a remote attacker to obtain root access to hosts running ISCBIND/DNS. To minimize this risk, ISCBIND/DNS can be run as a non-root user, which will limit any damage to what can be done as a normal user with a local shell. Of course, this is not enough for the security requirements of most DNS servers, so an additional step can be taken - that is, running ISCBIND in a chroot jail.

The named binary program must be in a directory listed within your PATH environment variable for this to work. For the rest of the documentation, I'll assume the path of your original named program is /usr/sbin/named.

The following are the necessary steps to run ISCBIND/DNS software in a chroot jail:

We must find the shared library dependencies of named, the DNS daemon. These will need to be copied into the chroot jail later.

To find the shared library dependencies of named, execute the following command:

Make a note of the files listed above; you will need these later in our steps.

Now we must set up the chroot environment, and create the root directory of the jail. We've chosen /chroot/named because we want to put this on its own separate file system to prevent file system attacks. Early in our Linux installation procedure we created a special partition /chroot for this purpose.

On the slave server, and only on the slave server, the owner of the /chroot/named/var/named directory and all files in it must be the process name named; otherwise you will not be able to make a zone transfer.

To make the named directory and all its files owned by the named process name under the slave server, use the command:

A file with the +i attribute cannot be modified, deleted or renamed; no link can be created to this file and no data can be written to it. Only the superuser can set or clear this attribute.

Add a new UID and a new GID for running the daemon named if this is not already set. This is important because running it as root defeats the purpose of the jail, and using a different user ID that already exists on the system can allow your services to access each other's resources. Check the /etc/passwd and /etc/group files for a free UID/GID number. In our example we'll use the number 53 and the name named.
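
The shared-library step above can be scripted so that no dependency is missed when the jail is populated. The following is an added example, not part of the original document: the function names are hypothetical and the sample ldd output is constructed; it assumes the /usr/sbin/named and /chroot/named paths used in this text.

```sh
#!/bin/sh
# Added example (not from the original page): stage a daemon's shared
# libraries into a chroot jail. Function names are hypothetical.

# Constructed sample of `ldd /usr/sbin/named` output, for offline testing.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc1a5f2000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f2b3c000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b3bc00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f2b3c6a1000)'

# Read ldd output on stdin; print each real library file once.
# Virtual objects with no file (linux-vdso) are skipped. Any "not found"
# entry makes the function fail, since the jailed daemon could not start.
ldd_paths() {
    awk '
        /not found/ { print "missing: " $1 > "/dev/stderr"; bad = 1; next }
        $2 == "=>" && $3 ~ /^\// { if (!seen[$3]++) print $3; next }
        $1 ~ /^\//  { if (!seen[$1]++) print $1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Read library paths on stdin; copy each to the same path under jail root $1.
# -L copies the file a symlink points to, -p keeps mode and timestamps.
stage_libs() {
    jail=$1
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        mkdir -p "$jail$(dirname "$lib")" || return 1
        cp -pL "$lib" "$jail$lib" || return 1
    done
}

# Resolve the dependencies of binary $1 and stage them under jail root $2.
jail_libs() {
    list=$(ldd "$1" | ldd_paths) || return 1
    printf '%s\n' "$list" | stage_libs "$2"
}

# Usage on the server, as root:
#   jail_libs /usr/sbin/named /chroot/named
```

Re-run the staging after every BIND or system library upgrade, because the jail keeps its own copies and will otherwise retain the old, unpatched libraries.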